DETAILED ACTION

A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible 
for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has 
been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37
CFR 1.114. Applicant's submission filed on November 03, 2008 has been entered. Claims 1,
11, 18 and 20 have been amended. Claims 1, 2 and 4-39 are pending.



Response to Arguments 

Applicant's arguments filed November 3, 2008 have been fully considered but they are 
not persuasive. Applicant argues that the art on record fails to teach determining if the one 
command is required to be associated with the security value, executing the one command ... 
with the security value; preventing execution of ... or if there is an error in the security value. 
Examiner disagrees. 

Examiner would point out that, Levergood teaches associating the security value with a 
set of uniform resource locators (URLs) corresponding to a set of commands of the distributed 
application [column 5, line 49-column 6, line 4 and column 7, lines 14-31], determining if the one 
command is required to be associated with the security value [column 5, lines 35-40], executing 
the one command if the one command is not required to be associated with the security value 
[column 5, lines 35-40], and if the one command is required to be associated with the security 
value [column 5, lines 41-50], checking the one URL for the security value (i.e., check if SID is 
attached to the URL) [column 5, lines 41-49 and column 6, line 65-column 6, lines 26 and 
column 7, lines 35-47], and returning an error message to the authenticated user if the security 
value is not found with the one command or preventing execution of the one command, wherein 
the error message prompts the authenticated user for confirmation before the one command
can be executed (i.e., if SID is not detected with the URL, redirecting it back to the client and 
requesting the client to submit authentication credentials again for validation/confirmation 
column 5, lines 46-50 and column 7, lines 41-49). Examiner would point out that the art on 
record teaches the claim limitations and therefore the rejection is respectfully maintained. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1, 2 and 4-39 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Levergood et al. US 5,708,780 (hereinafter Levergood) in view of applicant's own admitted prior
art (hereinafter AAPA) and further in view of Abdo et al. US 7,080,404 B2 (hereinafter Abdo).

As per claims 1, 4, 8-11, 18, 20, 21, 24, 26-29, 31, 32 and 35, Levergood teaches a 
method for protecting a distributed application user, comprising: 

providing a distributed application on a server (i.e., web-pages on a server) [column 5, 
lines 17-41]; 

authenticating a user of the distributed application [column 5, lines 41-50 and column 6, 
lines 27-50];

determining, on the server, a single security value for the authenticated user (i.e., SID is
generated for an authenticated user) [column 5, lines 41-64 and column 6, lines 53-column 7, 
line 13]; 

associating the security value with a set of uniform resource locators (URLs) 
corresponding to a set of commands of the distributed application [column 5, line 49-column 6, 
line 4 and column 7, lines 14-31]; 

communicating the security value to a client operated by the authenticated user [column
5, line 49-column 6, line 4 and column 7, lines 14-31];

receiving one of the set of URLs on the server from the client [column 5, line 64-column
6, line 16 and column 7, lines 14-21];

determining if the one command is required to be associated with the security value 
[column 5, lines 35-40]; 

executing the one command if the one command is not required to be associated with 
the security value [column 5, lines 35-40]; and 

if the one command is required to be associated with the security value [column 5, lines
41-50];

checking the one URL for the security value (i.e., check if SID is attached to the URL) 
[column 5, lines 41-49 and column 6, line 65-column 6, lines 26 and column 7, lines 35-47], and 
returning an error message to the authenticated user if the security value is not found with the 
one command or preventing execution of the one command, wherein the error message 
prompts the authenticated user for confirmation before the one command can be executed (i.e., 
if SID is not detected with the URL, redirecting it back to the client and requesting the client to 
submit authentication credentials again for validation/confirmation column 5, lines 46-50 and 
column 7, lines 41-49).

Levergood teaches associating the security value with a set of uniform resource locators
(URLs) corresponding to a set of commands of the distributed application [column 5, line 49- 
column 6, line 4 and column 7, lines 14-31], but is silent on a command comprising a command 
that can be used in a malicious attack against authenticated user. However, AAPA teaches 
associating the security value with a set of uniform resource locators (URLs) corresponding to a 
set of commands of the distributed application, wherein each command comprises a command 
that can be used in malicious attack against authenticated user [see specification pages 1-2 
paragraphs 2-4]. Therefore, it would have been obvious to one having ordinary skill in the art at 
the time of applicant's invention to employ the teachings of AAPA within the system of 
Levergood in order to enhance the security of the system. 

Levergood is silent on generating a security value for an authenticated user of the 
distributed application, wherein every user is authenticated prior to generating the security value 
and the security value is a pseudo-random number. 

Abdo teaches an authentication system, including generating a security value for an 
authenticated user of the distributed application, wherein every user is authenticated prior to 
generating the security value and the security value is a pseudo-random number [column 4, 
lines 18-53]. It would have been obvious to one having ordinary skill in the art at the time of 
applicant's invention to employ the teachings of Abdo within the system of Levergood and AAPA 
in order to further enhance security of the system. 

As per claims 2, 12, 19 and 30, AAPA further teaches the method, wherein the one 
command comprises a command to delete files of the authenticated user [see specification 
pages 1-2 paragraphs 2-4].

As per claims 5, 17, 22 and 33, Levergood further teaches the method further
comprising storing the security value on the server [column 6, lines 5-23]. 

As per claims 6, 13, 23 and 34, Levergood further teaches the method further 
comprising: associating the security value with session information corresponding to the 
authenticated user, and communicating the session information and the security value to the 
authenticated user [column 6, lines 5-23 and column 7, lines 14-21]. 

As per claims 7, 25 and 36, Levergood further teaches the method wherein the 
authenticated user operates a client that communicates with the server [column 6, lines 22-26]. 

As per claims 14 and 37, Levergood further teaches the method wherein the associating 
step comprises appending the security value to a set of URLs corresponding to a set of 
commands of the distributed application [column 5, line 49-column 6, line 4 and column 7, lines 
14-31]. 

As per claims 15 and 38, Levergood further teaches the method wherein the one URL is 
pre-constructed on the server, and wherein client receives the one URL and the associated 
security value from the server [column 7, lines 14-33]. 

As per claims 16 and 39, Levergood further teaches the method wherein the one URL is 
constructed on the client, and wherein the associating step comprises, extracting the security 
value on the client, and appending the security value to the one URL [column 5, lines 52-65].

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to BEEMNET W. DADA whose telephone number is (571) 272-3847. The
examiner can normally be reached on Monday - Friday (9:00 am - 5:30 pm). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Beemnet W Dada/ 
Examiner, Art Unit 2435 
December 6, 2008 



